Fix Shared certificates.

This commit is contained in:
Robert Krátký 2018-01-21 15:35:53 +01:00
parent f63c41a7c5
commit 2d60ac89f3
5 changed files with 20 additions and 26 deletions

@ -34,6 +34,8 @@ Topics:
File: securing-the-system-by-keeping-it-up-to-date
- Name: Adding or removing software repositories in Fedora
File: adding-or-removing-software-repositories-in-fedora
- Name: Using Shared System Certificates
File: using-shared-system-certificates
- Name: (FIX ME!) Third party repositories
File: 3rd-party-repos
- Name: (FIX ME!) Anaconda

@ -3,12 +3,16 @@
In Fedora, the consolidated system-wide trust store is located in the `/etc/pki/ca-trust/` and `/usr/share/pki/ca-trust-source/` directories. The trust settings in `/usr/share/pki/ca-trust-source/` are processed with lower priority than settings in `/etc/pki/ca-trust/`.
Certificate files are treated depending on the subdirectory they are installed to:
Certificate files are treated depending on the subdirectory they are installed to the following directories:
* `/usr/share/pki/ca-trust-source/anchors/` or `/etc/pki/ca-trust/source/anchors/` - for trust anchors.
* `/usr/share/pki/ca-trust-source/blacklist/` or `/etc/pki/ca-trust/source/blacklist/` - for distrusted certificates.
* `/usr/share/pki/ca-trust-source/` or `/etc/pki/ca-trust/source/` - for certificates in the extended BEGIN TRUSTED file format.
* for trust anchors
** `/usr/share/pki/ca-trust-source/anchors/` or
** `/etc/pki/ca-trust/source/anchors/`
* for distrusted certificates
** `/usr/share/pki/ca-trust-source/blacklist/` or
** `/etc/pki/ca-trust/source/blacklist/`
* for certificates in the extended BEGIN TRUSTED file format
** `/usr/share/pki/ca-trust-source/` or
** `/etc/pki/ca-trust/source/`
NOTE: In a hierarchical cryptographic system, a trust anchor is an authoritative entity which is assumed to be trustworthy. For example, in X.509 architecture, a root certificate is a trust anchor from which a chain of trust is derived. The trust anchor must be put in the possession of the trusting party beforehand to make path validation possible.
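Review bot: the rewritten lead sentence `Certificate files are treated depending on the subdirectory they are installed to the following directories:` is ungrammatical; the removed wording `Certificate files are treated depending on the subdirectory they are installed to:` already introduces the list, so keep that (or `... according to the subdirectory they are installed to:`). The nested `*`/`**` list is otherwise easier to scan than the three long bullets it replaces; just make sure a blank line separates the last `**` item from the `NOTE:` paragraph, because AsciiDoc folds an adjacent line into the preceding list item's text and the admonition would not render.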

@ -1,15 +1,13 @@
[[sec-Adding-New-Certificates]]
[id='proc_adding-new-certificates']
= Adding New Certificates
.Before you start
.Procedure
To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system, copy the certificate file to the `/usr/share/pki/ca-trust-source/anchors/` or `/etc/pki/ca-trust/source/anchors/` directory, for example:
[subs="macros"]
[subs="+quotes,macros"]
----
# cp pass:quotes[_~/certificate-trust-examples/Cert-trust-test-ca.pem_] pass:quotes[_/usr/share/pki/ca-trust-source/anchors/_]
# cp _~/certificate-trust-examples/Cert-trust-test-ca.pem_ _/usr/share/pki/ca-trust-source/anchors/_
----
To update the system-wide trust store configuration, use the [command]`update-ca-trust` command:
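Review bot: `[subs="+quotes,macros"]` does work in Asciidoctor (it appends both to the listing defaults), but the listing no longer contains any `pass:quotes[...]` macros, so `[subs="+quotes"]` is all that is needed to render the italic placeholders `_~/certificate-trust-examples/Cert-trust-test-ca.pem_` and `_/usr/share/pki/ca-trust-source/anchors/_`. Consider also pointing the `cp` example at `/etc/pki/ca-trust/source/anchors/` instead of `/usr/share/pki/ca-trust-source/anchors/`: the concept module states that `/etc/pki/ca-trust/` is processed with higher priority, and `update-ca-trust(8)`, which the assembly cites, describes `/usr/share/pki/ca-trust-source/` as the OS-distributed source and `/etc/pki/ca-trust/source/` as the local, system-specific one, which is what an administrator adding a CA wants.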
@ -20,9 +18,5 @@ To update the system-wide trust store configuration, use the [command]`update-ca
[NOTE]
====
While the Firefox browser is able to use an added certificate without executing [command]`update-ca-trust`, it is recommended to run [command]`update-ca-trust` after a CA change. Also note that browsers, such as Firefox, Epiphany, or Chromium, cache files, and you might need to clear the browser's cache or restart your browser to load the current system certificates configuration.
====
.More information

@ -1,10 +1,6 @@
[[sec-Managing-Trusted-System-Certificates]]
[id='proc_managing-trusted-system-certificates']
= Managing Trusted System Certificates
.Before you start
.Procedure
To list, extract, add, remove, or change trust anchors, use the [command]`trust` command. To see the built-in help for this command, enter it without any arguments or with the [option]`--help` directive:
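Review bot: replacing `[[sec-Managing-Trusted-System-Certificates]]` with `[id='proc_managing-trusted-system-certificates']` (and `[[sec-Adding-New-Certificates]]` with `[id='proc_adding-new-certificates']` in the previous file) drops the old anchor names, so any `<<sec-...>>` or `xref:` that targets them elsewhere in the repository will break; grep for both old ids before merging, or keep them as secondary anchors. Removing the empty `.Before you start` title and placing `.Procedure` ahead of the steps is consistent with the adding-new-certificates module.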

@ -1,15 +1,14 @@
:md: ./modules
[[using-shared-system-certificates]]
= Using Shared System Certificates
The Shared System Certificates storage enables NSS, GnuTLS, OpenSSL, and Java to share a default source for retrieving system certificate anchors and black list information. By default, the trust store contains the Mozilla CA list, including positive and negative trust. The system allows updating of the core Mozilla CA list or choosing another certificate list.
include::{md}/concept_using-the-system-wide-trust-store.adoc[leveloffset=+1]
include::modules/con_using-the-system-wide-trust-store.adoc[leveloffset=+1]
include::{md}/proc_adding-new-certificates.adoc[leveloffset=+1]
include::modules/proc_adding-new-certificates.adoc[leveloffset=+1]
include::modules/proc_managing-trusted-system-certificates.adoc[leveloffset=+1]
include::{md}/proc_managing-trusted-system-certificates.adoc[leveloffset=+1]
[[shared-system-certificates-additional-resources]]
== Additional Resources
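Review bot: the include lines end up inconsistent: the concept module is referenced both as `{md}/concept_using-the-system-wide-trust-store.adoc` and as `modules/con_using-the-system-wide-trust-store.adoc`, and the three includes alternate between the `{md}/` attribute prefix and a literal `modules/`. Whichever form survives, all three includes should use the same prefix, the module file name must match what exists on disk (`concept_` vs `con_`), and the `:md: ./modules` attribute should stay only if the `{md}` form is kept; an include that does not resolve renders an `Unresolved directive` line in the output instead of the module's content.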
@ -17,5 +16,4 @@ include::{md}/proc_managing-trusted-system-certificates.adoc[leveloffset=+1]
For more information, see the following man pages:
* `update-ca-trust(8)`
* `trust(1)`